My current thinking is that it’s not worth the effort to commit to do this on a regular basis. If you’re in doubt of the legitimacy of the plugin you downloaded, just download it again from the releases page on GitHub. The files are small enough that this shouldn’t be a big deal.

In future, it may be possible to automate the generation of these checksums and publish them somewhere independently secure. At this time, there is neither an independent secure location for this information nor the infrastructure required for such automation. I can’t say with any certainty whether that situation will ever change.